If the logs are showing that the spam is originating from your server, then it's definitely being sent by the server. It's possible that they are spoofing the message headers of the emails. To check this, search for the 'sasl_username' keyword, or try reading an email from the queue and analyse its headers. Also find the IP from your Zimbra or firewall logs, and ban the IP.
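
One way to run the 'sasl_username' search described above, as an added example that is not part of the original answer: it counts authenticated submissions per account and client IP, so the account and address behind the spam stand out. The function names and sample lines are constructed, and the log path in the comment is an assumption about a default Zimbra install.

```shell
#!/bin/sh
# Constructed sample in Postfix smtpd log format (documentation addresses, not real data).
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 mail postfix/smtpd[2101]: 4F1A22C0B1: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 03:14:09 mail postfix/smtpd[2101]: 5A7B32C0B2: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 03:14:11 mail postfix/smtpd[2104]: 6C9D42C0B3: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 03:14:12 mail postfix/smtpd[2104]: 7E1F52C0B4: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 12 08:02:40 mail postfix/smtpd[2230]: 8A2B62C0B5: client=office.example.com[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 12 08:05:13 mail postfix/smtpd[2231]: 9B3C72C0B6: client=office.example.com[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 08:06:55 mail postfix/smtpd[2233]: AC4D82C0B7: client=mx.example.net[192.0.2.10]
EOF
}

# Print "count sasl_username client_ip", busiest pair first.
# Reads the files given as arguments, or stdin when there are none.
# Lines without sasl_username (unauthenticated inbound mail) are skipped.
sasl_senders() {
    sed -n 's/.*client=[^[]*\[\([^]]*\)].*sasl_username=\([^, ]*\).*/\2 \1/p' "$@" |
        sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Print "sasl_username client_ip" for pairs seen at least N times on stdin.
# These are the candidates for a password reset and an IP ban.
flag_senders() {
    sasl_senders | awk -v n="$1" '$1 >= n {print $2, $3}'
}

# On a live server (path is an assumption): sasl_senders /var/log/zimbra.log
sample_log | sasl_senders
```

An account that appears here with a high count from an unfamiliar address points to stolen credentials rather than forged headers, so reset that password in addition to banning the IP.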